Looking at the demo, I noticed they’re directly using the shop field from the session as the store identifier. They’re even using this same shop field as the store identifier in the QR code table.
```prisma
model QRCode {
  id               Int      @id @default(autoincrement())
  title            String
  shop             String
  productId        String
  productHandle    String
  productVariantId String
  destination      String
  scans            Int      @default(0)
  createdAt        DateTime @default(now())
}
```

```javascript
// loader:
export async function loader({ request }) {
  const { admin, session } = await authenticate.admin(request);
  const qrCodes = await getQRCodes(session.shop, admin.graphql);

  return json({
    qrCodes,
  });
}

// db:
export async function getQRCodes(shop, graphql) {
  const qrCodes = await db.qRCode.findMany({
    where: { shop },
    orderBy: { id: "desc" },
  });

  if (qrCodes.length === 0) return [];

  return Promise.all(
    qrCodes.map((qrCode) => supplementQRCode(qrCode, graphql))
  );
}
```
I’m currently developing my own app and have completed some of the features. I’ve been using `session.shop` as the store identifier, but now I’m worried that this might not be the most reliable approach.
I’m wondering if it’s safe to use `session.shop` like in the demo. Is this shop field unique and tamper-proof for each store? Or should I be making GraphQL calls every time to fetch the shopId just to be on the safe side?
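On the tamper-proofing question, an added example (not code from the post or from Shopify's library): for an embedded app the shop arrives in a session token, a JWT that Shopify signs with HS256 using the app's secret, with the shop domain in the `dest` claim. The sketch below verifies such a token before trusting the shop and rejects a payload rewritten to name another shop; `signToken`, `shopFromToken`, `tamperShop` and all sample values are hypothetical names and constructed data.

```javascript
// Added example: simplified session-token check, not Shopify's library code.
const crypto = require("node:crypto");

const b64url = (data) => Buffer.from(data).toString("base64url");
const decode = (part) => JSON.parse(Buffer.from(part, "base64url").toString());
const hmac = (secret, msg) => crypto.createHmac("sha256", secret).update(msg).digest();

// Build an HS256 JWT; used here only to create the constructed sample below.
function signToken(payload, secret) {
  const data = `${b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }))}.${b64url(JSON.stringify(payload))}`;
  return `${data}.${b64url(hmac(secret, data))}`;
}

// Return the shop domain only if signature, audience and time claims all hold.
function shopFromToken(token, secret, clientId, now = Math.floor(Date.now() / 1000)) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("malformed token");
  const [head, body, sig] = parts;
  if (decode(head).alg !== "HS256") throw new Error("unexpected alg");
  const expected = hmac(secret, `${head}.${body}`);
  const given = Buffer.from(sig, "base64url");
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    throw new Error("bad signature");
  }
  const claims = decode(body); // claims are parsed only after the signature is verified
  if (claims.aud !== clientId) throw new Error("wrong audience");
  if (now >= claims.exp || now < claims.nbf) throw new Error("token not valid now");
  const shop = new URL(claims.dest).hostname;
  if (new URL(claims.iss).hostname !== shop) throw new Error("iss/dest mismatch");
  return shop;
}

// Simulate a client rewriting the payload to name another shop, keeping the old signature.
function tamperShop(token, newShop) {
  const [head, body, sig] = token.split(".");
  const claims = { ...decode(body), dest: `https://${newShop}`, iss: `https://${newShop}/admin` };
  return `${head}.${b64url(JSON.stringify(claims))}.${sig}`;
}

// Constructed sample values (placeholders, not real credentials).
const SECRET = "example-app-secret";
const CLIENT_ID = "example-client-id";
const NOW = 1700000000;
const sampleToken = signToken(
  { iss: "https://shop-a.myshopify.com/admin", dest: "https://shop-a.myshopify.com",
    aud: CLIENT_ID, exp: NOW + 60, nbf: NOW - 5 },
  SECRET
);
```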